2
6 flow-nfilter — Filter flows.
7
9 flow-nfilter [-hk] [-b big|little] [-C comment] [-d debug_level]
10 [-f filter_fname] [-F filter_definition] [-v variable binding] [-z
11 z_level]
12
14 The flow-nfilter utility will filter flows based on user selectable
15 criteria. Filters are defined in a configuration file and are composed
16 of primitives and a definition. Definitions contain match lines
17 grouped to form logical AND and OR operations on the flow using the
18 selected primitives. A definition may contain the invert command which
19 will invert the result of the evaluation.
20 Words in the configuration file of the form @VAR or @{VAR:-default}
22 will be expanded at run-time by setting variable names with the -v
23 option.
24 Filter primitives begin with the filter-primitive keyword followed by a
26 symbolic name. Each primitive has a type defined below. A list of
27 permit and or deny keywords followed by an argument are later evaulated
28 to determine if the flow is permitted or denied. The default action
29 for a primitive is to deny which may be changed with the default key‐
30 word. Symbolic substitutions are done where appropriate.
31 The match keyword in a definition selects the criteria to match a prim‐
33 itive. A match type may allow more than one type of primitive, for
34 example the src-ip-addr match type will accept any of {ip-address, ip-
35 address-mask, ip-address-prefix} primitive types.
36 Primitive type Type Description/Example
38 -------------------------------------------------------------------
39 as Bucket Autonomous System Number.
40 600,159,3112
41 ip-address-prefix-len Numeric Integer from 0 to 32.
43 16-31
44 ip-protocol Bucket Integer from 0 to 255.
46 6,17,1
47 ip-tos Bucket Integer from 0 to 255 with mask.
49 0xA0/0xE0
50 ip-tcp-flags Bucket Integer from 0 to 255 with mask.
52 0x2/0x2
53 ifindex Bucket Integer from 0 to 65535
55 0,5,10
56 engine Bucket Integer from 0 to 255.
58 0
59 ip-port Bucket Integer from 0 to 65535.
61 80,8080,23,22
62 ip-address Hash List of IP Addresses.
64 10.0.0.1
65 ip-address-mask List List of IP address/mask pairs.
67 10.1.0.0 255.255.0.0
68 ip-address-prefix Trie List of IP address/mask pairs.
70 10.1/16
71 tag Hash List of tags.
73 0xFF00
74 tag-mask List List of tags.
76 0xF000/0xFF00
77 counter List List of Integers with qualifier.
79 lt 32
80 time List List of relative time specifiers.
82 gt 5:00
83 time-date List List of absolute time specifiers.
85 gt December 12, 2002 5:13:21
86 double List List of doubles with qualifier.
88 lt 32.0
89 rate Element Rate is calculated as 1/rate.
91 permit 100
92 Match type Description Primitives accepted
96 -------------------------------------------------------------------
97 source-as Source AS as
98 destination-as Destination AS as
100 ip-source-address Source IP Address ip-address,
102 ip-address-mask,
103 ip-address-prefix
104 ip-destination-address Destination IP Address ip-address,
106 ip-address-mask,
107 ip-address-prefix
108 ip-exporter-address Exporter IP Address ip-address,
110 ip-address-mask,
111 ip-address-prefix
112 ip-nexthop-address NextHop IP Address ip-address,
114 ip-address-mask,
115 ip-address-prefix
116 ip-shortcut-address Shortcut IP Address ip-address,
118 ip-address-mask,
119 ip-address-prefix
120 ip-protocol IP Protocol ip-protocol
122 ip-source-address-prefix-len
124 Source IP address ip-address-prefix-len
125 prefix length
126 ip-destination-address-prefix-len
128 Destination IP address ip-address-prefix-len
129 prefix length
130 ip-tos IP Type Of Service ip-tos
132 ip-marked-tos IP Type Of Service ip-tos
134 ip-tcp-flags IP/TCP Flags ip-tcp-flags
136 ip-source-port Source IP Port ip-port
138 eg TCP/UDP
139 ip-destination-port Destination IP Port ip-port
141 eg TCP/UDP
142 input-interface Source ifIndex ifindex
144 eg Input Interface
145 output-interface Destination ifIndex ifindex
147 eg Output Interface
148 start-time Start Time of flow time, time-date
150 end-time End Time of Flow time, time-date
152 flows Number of flows counter
154 octets Number of octets counter
156 packets Number of packets counter
158 duration Duration of flow in ms counter
160 engine-id Engine ID engine
162 engine-type Engine Type engine
164 source-tag Source Tag tag, tag-mask
166 destination-tag Destination Tag tag, tag-mask
168 pps Packets Per Second double
170 bps Bits Per Second double
172 random-sample Random Sample rate
174
176 -b big|little
177 Byte order of output.
178 -C Comment
180 Add a comment.
181 -d debug_level
183 Enable debugging.
184 -f filter_fname
186 Filter list filename. Defaults to /var/flow-tools/cfg/fil‐
187 ter.
188 -F filter_definition
190 Select the active definition. Defaults to default.
191 -h Display help.
193 -k Keep time from input.
195 -v variable binding
197 Set a variable FOO=bar.
198 -z z_level
200 Configure compression level to z_level. 0 is disabled (no
201 compression), 9 is highest compression.
202
204 time-date parsing is implemented with getdate.y, a commonly used func‐
205 tion to process free-form time date specifications. Example usage bor‐
206 rowed from cvs:
207 1 month ago
208 2 hours ago
209 400000 seconds ago
210 last year
211 last Monday
212 yesterday
213 a fortnight ago
214 3/31/92 10:00:07 PST
215 January 23, 1987 10:05pm
216 22:00 GMT
217
219 An example of filter configuration file.
220 filter-primitive srate
222 type rate
223 permit 100
224 filter-primitive test-as
226 type as
227 permit 600,159
228 filter-primitive test-prefix-len
230 type ip-address-prefix-len
231 permit 32
232 filter-primitive test-protocol
234 type ip-protocol
235 permit tcp
236 filter-primitive test-tos
238 type ip-tos
239 mask 0xA0
240 permit 0xE0
241 filter-primitive test-tcp-flags
243 type ip-tcp-flags
244 mask 0x2
245 permit 0x2
246 filter-primitive test-ifindex
248 type ifindex
249 permit 0,5,10
250 filter-primitive test-engine
252 type engine
253 permit 0
254 filter-primitive test-port
256 type ip-port
257 permit https
258 permit 80
259 default deny
260 filter-primitive test-address
262 type ip-address
263 permit 0.0.0.1
264 permit 0.0.0.2
265 default deny
266 filter-primitive test-address-mask
268 type ip-address-mask
269 permit 128.146.197.1 255.255.255.255
270 permit 128.146.197.2 255.255.255.255
271 filter-primitive test-prefix
273 type ip-address-prefix
274 permit 128.146.0.0/16
275 default deny
276 filter-primitive test-tag
278 type tag
279 permit 0x00
280 permit 0x01
281 permit 0xFF
282 filter-primitive test-tag-mask
284 type tag-mask
285 permit OSU 0xFF
286 permit 0xFF 0xFF
287 default deny
288 filter-primitive test-counter
290 type counter
291 permit lt 5
292 permit gt 10
293 default deny
294 filter-primitive test-time-date
296 type time-date
297 permit gt December 12, 2002 5:13:21
298 filter-primitive test-time
300 type time-date
301 permit gt 12:15:00
302 filter-definition sample-1-in-100
304 match random-sample srate
305 filter-definition t1
307 match engine-type test-engine
308 or
309 match destination-tag test-tag-mask
310 Display all flows with a destination port of 80 or source port of 25
312 (smtp) starting after Dec 12, 2001. The file test is populated with
313 the following:
314 filter-primitive port80
317 type ip-port
318 permit 80
319 filter-primitive port25
321 type ip-port
322 permit smtp
323 filter-primitive dec12
325 type time-date
326 permit gt Dec 12, 2001
327 filter-definition foo
329 match ip-source-port port80
330 match start-time dec12
331 or
332 match ip-destination-port port25
333 match start-time dec12
334 flow-cat flows | flow-nfilter -ftest -Ffoo | flow-print
336
338 Configuration files:
339 Symbols - /var/flow-tools/sym/*.
340 Tag - /var/flow-tools/cfg/tag.cfg.
341 Filter - /var/flow-tools/cfg/filter.cfg.
342
344 None known.
345
347 Mark Fullmer maf@splintered.net
348
350 flow-tools(1)
351 flow-nfilter(1)